CVE-2025-12684 — Cross-site Scripting
Severity
7.1 HIGH (NVD)
EPSS
0.1%
top 80.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
No affected products listed
Timeline
Published Dec 15
Description
The URL Shortify WordPress plugin before 1.11.3 does not sanitize and escape a parameter before outputting it back in the page, leading to reflected cross-site scripting, which could be used against high-privilege users such as admins.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Exploitability: 2.8 | Impact: 3.7